#!/usr/bin/perl
#***********************************************************************
#
# FILE NAME : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
# action when an IDS-MC Event Rule triggers, and will send an
# email to $EmailRcpt with additional alert parameters (similar to
# the functionality available with CSPM notifications)
#
# NOTE: this script only works with 3.x sensors, alarms from 4.0
# sensors are stored differently and cannot be represented
# in a similar format.
#
# NOTE: check the "system" command in the script for the correct
# format depending on whether you're using IDSMC/SecMon
# v1.0 or v1.1, you may need the "-on" command-line option.
#
# NOTE : This script takes the ${Query} keyword from the
# triggered rule, extracts the set of alarms that caused
# the rule to trigger. It then reads the last alarm of
# this set, parses the individual alarm fields, and
# calls the legacy script with the same set of command
# line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
# emailalert.pl "${Query}"
#
# Where:
#
# "${Query}" - this is the query keyword dynamically
# output by the rule when it triggers.
# It MUST be wrapped in double quotes when specifying it in the Arguments
# box on the Rule Actions panel.
#
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "nobody\@cisco.com";
##
## pull out command line arg
##
$whereClause = $ARGV[0];
##
## extract all the alarms matching search expression
##
$tmpFile = "alarms.out";
## The following line will extract alarms from 1.0 IDSMC/SecMon database, if
## using 1.1 comment out the line below and un-comment the other system line
## below it.
## V1.0 IDSMC/SecMon version
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");
## V1.1 IDSMC/SecMon version.
## system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"");
##
# open matching alarm output
if (!open(ALARM_FILE, $tmpFile)) {
print "Could not open ", $tmpFile, "\n";
exit -1;
}
# read to last line
while (<ALARM_FILE>) {
$line = $_;
}
# clean up
close(ALARM_FILE);
unlink($tmpFile);
##
## split last line into fields
##
@fields = split(/,/, $line);
$eventType = @fields[0];
$recordId = @fields[1];
$gmtTimestamp = 0; # need gmt time_t
$localTimestamp = 0; # need local time_t
$localDate = @fields[4];
$localTime = @fields[5];
$appId = @fields[6];
$hostId = @fields[7];
$orgId = @fields[8];
$srcDirection = @fields[9];
$destDirection = @fields[10];
$severity = @fields[11];
$sigId = @fields[12];
$subSigId = @fields[13];
$protocol = "TCP/IP";
$srcAddr = @fields[15];
$destAddr = @fields[16];
$srcPort = @fields[17];
$destPort = @fields[18];
$routerAddr = @fields[19];
$contextString = @fields[20];
## Open temp file to write alert data into,
open(OUT,">$TempIDSFile") || warn "Unable to open output file!\n";
## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed. Use the format:
##
## print (OUT "Your text with any variable name from the list above \n");
##
## Again, make sure you escape special characters with a backslash (note the : in between $sigId
## and $subSigId has a backslash in front of it)
print(OUT "\n");
print(OUT "Received severity $severity alert at $localDate $localTime\n");
print(OUT "Signature ID $sigId\:$subSigId from $srcAddr to $destAddr\n");
print(OUT "$contextString");
close(OUT);
## then call "blat" to send contents of that file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");